On 30 Jun 2016, at 22:00, Andrew Ayer <[email protected]> wrote:
>
> On Thu, 30 Jun 2016 15:54:02 -0400
> Jonathan Rudenberg <[email protected]> wrote:
>
>>
>>> On Jun 30, 2016, at 15:44, Christiaan Ottow <[email protected]>
>>> wrote:
>>>
>>> The certificates we had issued to us as proof of concept (only for
>>> our own domains), were not revoked and we don't see them in the CT
>>> logs. However, we informed StartCom that we had only issued
>>> certificates for domains under our control, so I can imagine no red
>>> flags were raised by their helpdesk.
>>
>> The lack of CT logging is interesting, as StartCom claims that all
>> certificates they issue are being logged to at least three CT
>> servers: https://www.startssl.com/NewsDetails?date=20160323
>>
>> Do you mind uploading the certificate files that were obtained
>> somewhere and linking us to them?
>
> It would be best not to release the full certificates quite yet, since
> doing so would make it impossible to determine who logged them if they
> later show up in CT logs.
>
> Providing a hash of the certificate and the contents of the SCT
> extension, if any, would be OK.
>
> Regards,
> Andrew

We acquired certificates for a private domain (and some subdomains) of the tester in question, and one for our domain pine.nl. Details of the latter are attached, with the modulus and signature left out. The SHA256 fingerprint of the certificate is:

A7:E5:BD:6E:81:8F:A8:CE:FD:73:97:32:70:06:89:59:98:86:33:5A:06:7E:FD:ED:EA:B6:19:B3:3F:67:F6:A1

Kind regards,

Christiaan Ottow
CTO Security
Computest • Pine Digital Security
M: +31 (0) 6 51997213 • T: +31 (0) 88 7331337
E: [email protected] • I: www.computest.nl
A: Signaalrood 25 • 2718 SH Zoetermeer
P: https://www.pine.nl/4eo3UYWmU.asc
Pine Digital Security is part of Computest
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
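
The following is an added example, not part of the thread or any participant's code: one way to produce the two things asked for above (a SHA-256 fingerprint in the colon-separated form used in the message, and the contents of the embedded SCT list extension, if any) without publishing the certificate itself. The function names and the `sample()` DER skeleton are assumptions made for illustration; the skeleton is constructed input, not a valid certificate.

```python
import hashlib

SCT_LIST_OID = bytes.fromhex("2b06010401d679020402")  # 1.3.6.1.4.1.11129.2.4.2

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low bits = number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, body) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def fingerprint(der):
    """SHA-256 over the DER bytes, upper-case hex pairs joined by colons."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def sct_extension(der):
    """Raw extnValue of the embedded SCT list extension, or None if absent."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs = next(children(cert))         # first child is tbsCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:                   # [3] EXPLICIT Extensions
            _, exts = next(children(val))
            for _, ext in children(exts):
                fields = list(children(ext))
                if fields[0] == (0x06, SCT_LIST_OID):
                    return fields[-1][1]  # OCTET STRING contents
    return None

def tlv(tag, body):
    """Encode one short DER element; used only to build the constructed sample."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sample(with_sct):
    """Constructed DER skeleton (hypothetical; issuer, validity, key omitted)."""
    exts = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x04, tlv(0x30, b"")))
    if with_sct:
        exts += tlv(0x30, tlv(0x06, SCT_LIST_OID) + tlv(0x04, b"constructed-sct-bytes"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For a real certificate, pass the DER bytes (the base64-decoded body of the PEM file) to `fingerprint()` and `sct_extension()`.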

